Why Enterprises Shouldn't Limit Web Traffic

By Don Reisinger | Posted 2009-06-18

It's become commonplace in the business world to limit employee Web traffic.
At many firms, regardless of their industry or size, IT managers are being
asked to block access to some sites and, in some cases, limit the amount of
time users spend on
the Web. By doing so, they can limit the impact malware could have on the
network as employees spend time surfing the Web. They also believe that
the more employees visit their favorite sites and check their email, the less
productive they are. And that translates to poorer business performance.

According to researchers at Websense, an attack called Nine-Ball has targeted
legitimate sites and redirected users accessing those pages to a malicious
site. The attack is the result of a Trojan that used FTP credentials to
input automated bots on the sites. When a Web surfer visits a site that
has been infected, they are brought to a page that contains the exploit
code. The person is then pelted with drive-by attacks that attempt to
exploit Microsoft, Adobe Reader, and QuickTime vulnerabilities. So far,
Websense said the Trojan has a very low detection rate.

For some companies, that's all they need to know. There are real threats
on the Web, and if an employee makes even one mistake, they can be subject to
malware that could put the entire network in danger. The end result could
be lost or, worse, stolen data.

But perhaps that solution is nothing more than a quick fix to a much broader
issue. The reality is this: more malware than ever is affecting company
networks, even though the enterprise
is doing everything it can to limit the amount of access employees have to the
Web. Doesn't it stand to reason, then, that if blocking their access was
such a smart move, it would actually work to limit company-wide
outbreaks?

Companies don't need to limit the amount of access employees have to the Web --
they need to learn how to more effectively deal with the threats.

Education

Nowhere is that more evident than in employee education. Simply
blocking an employee's access to certain sites won't help the company stay
safe. Malware is a real issue today because most people don't know what
they have to do to keep themselves safe. Does a company's employee know
not to open attachments from someone using an unknown e-mail address? Do
they know not to visit untrustworthy pornographic sites? Do they know not
to click on every link they see without making sure they're being redirected to
the desired page? Do they know what phishing is and why it's such a major
concern? Do they have apps installed on their computer that are designed
to warn them about possibly malicious sites? And do they know how to
react to those warnings?

These are some basic questions that most companies would probably answer
"no" to. Most companies don't do enough educating of their
employees. And in general, they simply look towards the easy solution --
blocking Web traffic -- instead of looking for the smart solution: educating
employees on the perils of the Web. If employees don't know any better,
how can they be expected to stay safe when faced with an attack like
Nine-Ball? That Trojan uses trusted sites to gain access to a person's
computer. Only education can stop it.

Productivity

It should also be noted that the idea of productivity slipping due to more
access to the Web is a red herring. Whether companies want to admit it or
not, they can't block every Website. And no matter how hard their
employers try, employees will gain access to sites that the company
missed. And the worst part is, they'll be even less productive.

Employees are spending more time trying to find ways around the firewalls than
working. If they had access to the sites they wanted to see, they'd go
there and get back to work sooner.

Along that same line, it's important to remember that productivity can actually
increase by allowing it to decrease. Yes, that might sound
counter-intuitive, but hear me out.

It's December and employee A is really behind on their holiday
shopping. They want to get a few things for the kids at work today, but
when they get there, they realize they can't access the online store they
wanted to buy the products from. So, they decide to go on their lunch hour
to a brick-and-mortar store to get the products. The only trouble is, the
lines are long, traffic is bad, and whoops -- that one-hour lunch break just
turned into a two-hour lunch break.

It gets worse. That same employee is so far behind on their holiday
shopping that they have no other option -- they need to take a Friday off to
make sure it's done before the holidays. That's eight hours of lost work
all because the employee didn't have a chance to buy gifts online at
work. Buying gifts online would have taken no more than one hour. That
company just lost eight hours. It's simple math.

And that's the biggest issue with the enterprise blocking Websites. It
might make sense at first glance, but if we take a rational look at things,
it's actually clear that it's quite the opposite -- firewalls cause more
headaches.

So, maybe it's time companies stop focusing on limiting employees and
start figuring out how to make them happier and thus, keep them working.
Running scared isn't the best option. Freedom and education are the
business world's best bet.